How to extract xml value having multiple same chil...

Vkeshar · ‎09-09-2022

I have following sample XML event where I want to extract specific value for a child tag . Ex when <Order fact> value is 'Place' then extract <Orderupdatevalue> which is false

<OrderUpdateField>
<OrderFacts>Place</OrderFacts>
<OrderDataType>String</OrderDataType>
<OrderUpdateValue>False</OrderUpdateValue>
<OrderFacts>Number</OrderFacts>
<OrderDataType>Integer</OrderDataType>
<OrderUpdateValue>1</OrderUpdateValue>
<OrderFacts>Location</OrderFacts>
<OrderDataType>String</OrderDataType>
<OrderUpdateValue>Earth</OrderUpdateValue>
</OrderUpdateField>

kamlesh_vaghela · ‎09-26-2022

@Vkeshar

It looks like you need the first value from multivalued data.

Can you please try this?

YOUR_SEARCH | spath
| eval OrderFacts=mvindex('OrderUpdateField.OrderFacts',0), OrderUpdateValue=mvindex('OrderUpdateField.OrderUpdateValue',0)
| table OrderFacts OrderUpdateValue

My Sample Search :

| makeresults | eval _raw="<OrderUpdateField>
     <OrderFacts>Place</OrderFacts>
     <OrderDataType>String</OrderDataType>
      <OrderUpdateValue>False</OrderUpdateValue>
     <OrderFacts>Number</OrderFacts>
     <OrderDataType>Integer</OrderDataType>
     <OrderUpdateValue>1</OrderUpdateValue>
     <OrderFacts>Location</OrderFacts>
    <OrderDataType>String</OrderDataType>
    <OrderUpdateValue>Earth</OrderUpdateValue>
</OrderUpdateField>" | spath
| eval OrderFacts=mvindex('OrderUpdateField.OrderFacts',0), OrderUpdateValue=mvindex('OrderUpdateField.OrderUpdateValue',0)
| table OrderFacts OrderUpdateValue

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

How to extract xml value having multiple same child tag?

XML

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation